b'INFORMATION SECURITY PROGRAM\n     Department of Transportation\n\n     Report Number: FI\xe2\x80\x932008\xe2\x80\x93001\n     Date Issued: October 10, 2007\n\x0c           U.S. Department of\n                                                  Memorandum\n           Transportation\n           Office of the Secretary\n           of Transportation\n           Office of Inspector General\n\n\nSubject:   ACTION: Audit of Information Security                     Date:    October 10, 2007\n           Program, Department of Transportation\n           Report Number: FI-2008-001\n  From:    Calvin L. Scovel III                                   Reply to\n                                                                  Attn. of:   JA\xe2\x80\x9320\n           Inspector General\n\n    To:    Chief Information Officer\n\n           This report presents the results of our annual audit of the information security\n           program at the Department of Transportation. In accordance with the Federal\n           Information Security Management Act of 2002 (FISMA), our objective was to\n           determine the effectiveness of the Department\xe2\x80\x99s information security program,\n           especially in the areas of (1) meeting the minimum Government security standards\n           to protect sensitive information systems and data, (2) establishing a secure\n           network operating environment at the Department\xe2\x80\x99s new Headquarters building\n           and other key locations, (3) correcting security weaknesses identified previously in\n           the air traffic control system, and (4) implementing earned value management to\n           better monitor major information technology (IT) investment projects.\n\n           We are also contributing to the annual departmental FISMA report by answering\n           questions specified by the Office of Management and Budget (OMB). This is\n           included as Exhibit A. 
Similar to last year, we tested a representative subset of\n           departmental systems, including contractor-operated and/or -maintained systems\n           that had undergone systems security certification reviews, in order to determine\n           whether the Department had complied with Government standards for (1)\n           assessing system risks, (2) identifying security requirements, (3) testing security\n           controls, and (4) accrediting systems as able to support business operations. We\n           also performed a detailed follow-up review of the Department\xe2\x80\x99s process for\n           managing remediation of known security deficiencies.\n\n           This performance audit was conducted in accordance with Generally Accepted\n           Government Auditing Standards prescribed by the Comptroller General of the\n           United States. Details of our scope and methodology are described in Exhibit B.\n\x0c                                                                                                                     2\n\n\nINTRODUCTION\n\nFISMA requires Federal agencies to identify and provide security protection\ncommensurate with the risk and magnitude of harm resulting from the loss of,\nmisuse of, unauthorized access to, disclosure of, disruption to, or modification of\ninformation collected or maintained by or on behalf of an agency. The\nDepartment maintains one of the largest portfolios of IT systems among Federal\ncivilian agencies; it is therefore essential that the Department protect these\nsystems, along with their sensitive data. In fiscal year (FY) 2007, the\ndepartmental IT budget totaled about $2.6 billion.\n\nThe Department has 13 Operating Administrations. During FY 2007, all\nOperating Administrations except the Federal Aviation Administration (FAA), the\nFederal Railroad Administration (FRA), 1 and the Surface Transportation Board\nwere relocated to the new Headquarters. 
As part of the Headquarters relocation,\nthe Department consolidated individual Operating Administrations\xe2\x80\x99 network\ninfrastructures (e-mail, desktop computing, and local area networks) into a\ncommon IT infrastructure\xe2\x80\x94one of the IT consolidation target projects identified\nby the Department in FY 2003. 2\n\nFor FY 2007, the Department is reporting a total of 429 computer systems\xe2\x80\x943\nmore than last year, of which 60 percent are FAA systems. Among the systems\nthe Department maintains and operates is the air traffic control system, which the\nPresident has designated part of the critical national infrastructure. Other systems\nowned by the Department include safety-sensitive surface transportation systems\nand financial systems that are used to manage and disburse over $50 billion in\nFederal funds each year. Systems inventory counts for FY 2006 and FY 2007 for\neach Operating Administration are detailed in Exhibit C.\n\n\nRESULTS IN BRIEF\nFY 2007 was a particularly challenging year for the Department in managing its\nIT resources. In addition to establishing a common IT infrastructure for the new\nHeadquarters, it had to review, test, and certify security protection in more than\nhalf of its information systems to meet the recertification requirement.\n\nWhile the Department has completed most of the scheduled security recertification\nreviews, the overall effectiveness of its information security program declined this\nyear because management had to divert resources and attention to resolving\n\n1\n    FRA will be relocated in early FY 2008.\n2\n    The initial network consolidation was limited to Headquarters operations. Operating Administrations are still\n    responsible for supporting network operations to their field offices. 
The Federal Highway Administration is leading\n    a task force to evaluate consolidation of field network infrastructure.\n\x0c                                                                                                3\n\n\nHeadquarters move-related issues. 3 Specifically, management did not meet\nGovernment security standards to protect information systems and did not take\nsufficient action to correct identified security deficiencies. We also found that\ncommercial software products used in departmental systems were not configured\nin accordance with security standards and security incidents were incompletely\nand/or inaccurately reported.\n\nIn terms of correcting the two security weaknesses identified previously in the air\ntraffic control system\xe2\x80\x94contingency planning and review of operational air traffic\ncontrol systems security\xe2\x80\x94FAA demonstrated renewed initiative in undertaking\nmultiyear correction efforts starting in FY 2007. FAA also made modest progress\nin enhancing the implementation of earned value management for major IT\ninvestment projects. Nonetheless, challenges remain in both areas.\n\nThese issues are summarized below and detailed in the Findings section,\nbeginning on page 8.\n\nFailure to Meet Government Security Standards to Protect Information\nSystems. According to the National Institute of Standards and Technology\n(NIST), risk categorization is key in determining the level of security protection\nneeded for individual systems. Systems categorized as having a high-risk impact\non the agency\xe2\x80\x99s mission are required to meet a more stringent security standard\nthan moderate- or low-risk-impact systems. 
These security standards (referred to\nas minimum security requirements) became mandatory for Federal agencies in\nMarch 2007.\n\nLast year we reported a concern in the Department\xe2\x80\x99s risk categorization.\nSpecifically, FAA categorized all air traffic control systems as having a\nmoderate-risk impact. We also reported that departmental systems would likely\nrequire security upgrades to meet the minimum security standards in\nFY 2007. We continue to find deficiencies in risk categorization and insufficient\nimplementation of minimum security protection.\n\n\xe2\x80\xa2 Risk Categorization. NIST guidance emphasizes the importance of performing\n  risk categorization on an entitywide basis versus at the individual bureau level.\n  During FY 2007, the departmental Chief Information Officer (CIO) issued a\n  draft policy requiring high-risk-impact categorization of systems used to\n  support the Nation\xe2\x80\x99s critical infrastructure. However, the policy has resulted in\n  little change at FAA. Among about 100 systems used to direct air traffic\n  control operations\xe2\x80\x94surveillance, navigation, landing, communications,\n  weather, and flight plan processing\xe2\x80\x94none were reported as having a high-risk\n  impact. Instead, the 19 systems reported by FAA as high-risk impact are\n  primarily for administrative functions, such as the procurement system and\n3\n    During FY 2007, no significant service disruptions to departmental systems were reported.\n\x0c                                                                                                                  4\n\n\n      local-area-network systems. Although FAA claims that air traffic control\n      systems are properly protected, it has no assurance that minimum security\n      standards are being met in protecting these systems in accordance with NIST\n      standards and departmental directives for system categorization and testing of\n      the appropriate security controls. 
After this issue was brought to management\xe2\x80\x99s\n      attention, the departmental CIO, the FAA Acting Deputy Administrator, and\n      the FAA CIO all agreed to collaborate with Air Traffic Organization business\n      owners to ensure that air traffic control systems are individually reviewed and\n      categorized in accordance with NIST standards and DOT policy, as a key\n      priority for FY 2008.\n\n\xe2\x80\xa2 Minimum Security Protection. Agencies are required to implement different\n  levels of security protection for individual systems based on risk\n  categorization. Our review of 21 sample systems from the departmental\n  inventory revealed that 11 systems from 7 Operating Administrations did not\n  meet the minimum security requirements for the risk category assigned to\n  them. For example, there were instances in which records containing sensitive\n  personally identifiable information are transmitted on the network in clear text.\n  The minimum security standards require such information to be encrypted\n  during transmission.\n\n\xe2\x80\xa2 Certification Review of the New IT Infrastructure. Another challenge facing\n  the Department is that it has not completed the security certification review of\n  the common IT infrastructure at the new Headquarters, which is used to\n  support more than 80 application systems, such as grants management systems,\n  safety inspection systems, and various administrative systems. This happened\n  because the Department experienced complications with the electrical power\n  supply in the new Headquarters and had to move the application systems to a\n  commercial vendor site before it could complete reviewing, testing, and\n  accrediting the expanded common IT environment. 
Until the planned review\n  of the common infrastructure is completed, management cannot provide\n  security assurance for the 80-plus application systems because the common IT\n  infrastructure, if not properly secured, could cause security risks to all systems\n  operating on the infrastructure. 4 The Department needs to retest systems\n  security in these application systems after certifying the expanded IT\n  infrastructure as adequately secure.\n\nInsufficient Action to Correct Identified Security Deficiencies. Security\ndeficiencies identified during security certification reviews are tracked and\nprioritized for correction through a process called Plan of Action and Milestones\n(POA&M). Last year we reported that management had improved this process\nsignificantly to ensure that correction items were prioritized and completed in a\n\n4\n    The Department plans to complete testing of the expanded common IT environment for security accreditation in the\n    near future.\n\x0c                                                                                  5\n\n\ntimely manner. This year, we found that management did not exercise the same\namount of attention to correct identified security deficiencies. Most Operating\nAdministrations still do not have a formalized process to guide this effort. In\naddition, the CIO has not yet finalized the departmental POA&M Handbook to\nmanage the identified weaknesses during the life cycle.\n\nWe found that 30 percent of planned corrections (901 out of a total of about 3,000\nidentified security deficiencies) are overdue for more than 6 months past their\nscheduled completion dates. We also found cost estimates to fix 60 percent of the\napproximately 3,000 identified security deficiencies missing. Details of Operating\nAdministrations responsible for delayed corrections and missing cost estimates are\non page 12. 
This is a clear reversal of the improvement we witnessed last year.\n\nWithout reliable cost estimates, management cannot make informed decisions to\nprioritize use of limited resources. This may have resulted in delays in and\ncancellation of planned correction efforts. For example:\n\n\xe2\x80\xa2 Cost estimates were missing from 91 percent of overdue correction items,\n  including 3 critical deficiencies, such as ineffective password protection to\n  limit user access.\n\n\xe2\x80\xa2 Cost estimates were also missing from 98 percent of canceled correction items,\n  including 2 critical deficiencies. Cancelled items are security deficiencies for\n  which management accepted the risk of not making corrections. For example,\n  management decided to accept the risk of not having proper password controls\n  for system administrators for a system used by FAA to manage air traffic\n  control flow.\n\nContinuous Deficiencies in Network Computers\xe2\x80\x99 Configuration. To reduce\nthe risk of hostile attack based on known vulnerabilities in commercial off-the-\nshelf software, such as the Windows operating systems and Oracle database\nsystems, agencies are required to configure such commercial software in\naccordance with NIST or agency security standards. Last year we reported that\nOperating Administrations\xe2\x80\x99 submissions to the CIO office to support their\ncompliance with configuration standards were incomplete and inconclusive. As a\nresult, the Department had no assurance that the commercial software was\nproperly configured to reduce the risk of being attacked. We found little progress\nmade in this area during FY 2007, and departmental network computers remain\nvulnerable to possible attacks due to improper configuration.\n\nIn addition, with the new common IT infrastructure, the Department faces a new\nsecurity challenge. 
The new infrastructure has significantly expanded its ability to\nhave secure connections on the Internet by using virtual private network (VPN)\naccess. This has positioned the Department well to support the telecommuting\n\x0c                                                                                                                      6\n\n\ninitiative and continuity of business operations. However, when employees\nconnect their home computers to departmental networks, they create security\nexposure because their home computers may not be properly secured. 5\nManagement should explore more secured alternatives to support telecommuting.\n\nIncomplete and Inaccurate Reporting of Security Incidents. During FY 2007,\nFAA did not report 40 6 cyber security incidents to the Department and, in turn, to\nthe central Government authority, the United States Computer Emergency\nReadiness Team (US\xe2\x80\x93CERT). Most of these incidents involved viruses in FAA\ncomputers. This happened partially because of inconsistent reporting practices\nwithin FAA. Employing a consistent reporting practice in line with established\ndepartmental policies and procedures should be a prerequisite for FAA to provide\nincident monitoring and reporting services to other Operating Administrations\xe2\x80\x94a\nnew initiative starting in FY 2008. This initiative was recently approved by the\nDepartment in preparation for FAA to become a shared service provider to other\nGovernment agencies for cyber incidence monitoring and reporting.\n\nTo better prepare it to become a shared service provider, FAA also needs to\nenhance its performance measurement reporting to senior management on security\nincidents. We noticed inaccurate reporting in last year\xe2\x80\x99s FAA Performance and\nAccountability Report. During FY 2006, FAA had to shut down a portion of air\ntraffic control systems because of security events. 
While FAA did a commendable\njob in cleaning up the infected computers and enhancing the underlying\nconfiguration management controls, it nonetheless reported to the Secretary,\nOMB, and the Congress in its annual Performance and Accountability Report that\n\xe2\x80\x9cno successful cyber events that significantly disabled or degraded our service\xe2\x80\x9d\nhad taken place.\n\nRenewed Initiatives in Correcting Air Traffic Control System Security\nWeaknesses. The President has designated air traffic control systems as part of\nthe Nation\xe2\x80\x99s critical infrastructure due to the important role commercial aviation\nplays in fostering and sustaining the national economy and ensuring citizens\xe2\x80\x99\nsafety and mobility. In FY 2004, we reported deficiencies in protecting this\ncritical infrastructure in two areas: (1) continuity planning to restore essential air\nservice in case of prolonged service disruptions at en route centers and (2) review\nof operational air traffic control systems security outside of the computer\nlaboratory. Last year, we reported inadequate progress in both areas. FAA senior\nmanagement pledged aggressive action.\n\n\n5\n    Security concerns on telework have been raised recently among other Federal agencies. For example, the Department\n    of Justice has decided to ban the use of home computers for telework.\n6\n    FAA claimed that 31 of these 40 incidents were either repeated or duplicated incidents that should have been\n    previously reported to the Department. However, FAA was not able to provide any evidence that the original\n    incidents had been reported. 
In addition, FAA indicated that two incidents were false-positives and therefore did not\n    need to be reported, even though they were not recorded as false-positives in FAA\xe2\x80\x99s official log.\n\x0c                                                                                 7\n\n\nDuring FY 2007, under the Deputy Administrator\xe2\x80\x99s (now Acting Administrator)\ndirection, FAA undertook renewed initiatives and made modest progress in both\nareas, such as developing a concept of operations for business continuity planning\nand a methodology to select high-risk operational air traffic control systems for\nsecurity review. However, these are multiyear efforts, for which FAA still faces\nmany uncertainties. Due to the sensitivity of air traffic control systems, we will\nissue a separate report detailing the progress and potential challenges associated\nwith these corrective actions along with recommendations.\n\nModest Progress in Implementation of Earned Value Management. During\nFY 2007, the Department revised its Investment Review Board\xe2\x80\x99s charter by\ndelegating more responsibilities to individual OA review boards to oversee their\nspecific IT investments. Regardless of the change in governance responsibility,\nestablishing clear measurement benchmarks to evaluate major investment projects\nsuch as earned value management (EVM) is key to success. Last year we found\nthat only 23 percent of major departmental IT investment projects met at least half\nof OMB\xe2\x80\x99s criteria for EVM implementation. During FY 2007, 35 percent of all\nmajor departmental IT investment projects met at least half of OMB\xe2\x80\x99s criteria for\nEVM implementation, a modest increase from last year. 
Continued enhancements\nin EVM implementation to ensure fiscal discipline with major investment projects\nis especially critical in today\xe2\x80\x99s tight economic environment.\n\nWe are making a series of recommendations, beginning on page 23, to help the\nDepartment continue to strengthen its information security program and better\noversee major IT investments. In summary, we are recommending that the Chief\nInformation Officer:\n\n\xe2\x80\xa2 Enhance the protection of information systems by ensuring that Operating\n  Administrations comply with new Government security standards when\n  completing their certification and accreditation reviews,\n\xe2\x80\xa2 Enhance correction of identified security deficiencies by working with\n  Operating Administrations to develop measures of accountability that would\n  hold Operating Administration officials responsible for timely correction of\n  security weaknesses,\n\xe2\x80\xa2 Enhance network security by establishing a methodology, including use of\n  automated tools, to verify that commercial software products are configured in\n  accordance with security standards, and evaluating alternatives to using home\n  computers to support telework,\n\xe2\x80\xa2 Ensure accurate reporting of security incidents, and\n\xe2\x80\xa2 Enhance the Department\xe2\x80\x99s implementation of EVM by establishing goals for\n  improvement.\n\nA draft of this report was provided to the Department\xe2\x80\x99s Chief Information Officer\non September 28, 2007. On October 4, we received the Department\xe2\x80\x99s Chief\n\x0c                                                                                  8\n\n\nInformation Officer\xe2\x80\x99s response, which can be found in the appendix. 
The Chief\nInformation Officer generally concurred with the report\xe2\x80\x99s findings and\nrecommendations and will provide details in 30 days, describing the specific\nactions and milestones that will be taken to implement the recommendations.\n\n\nFINDINGS\n\nGovernment Security Standards to Protect Information Systems\nWere Not Met\n\nIn our FY 2006 FISMA report, we stated that the Department faced several\nchallenges in implementing and monitoring security controls to meet Government\nstandards. This year, we found continued deficiencies in risk categorization of\nsensitive systems and implementation of security upgrades required to meet\nGovernment standards. In addition, security recertification review of the\nexpanded IT infrastructure at the new Headquarters has not been completed. As a\nresult, management has no security assurance for the 80-plus application systems\noperating on this infrastructure.\n\nRisk Categorization for Department\xe2\x80\x99s Sensitive Systems Has Not Been\nAccurately Assessed\nLast year we reported that air traffic control systems, which are designated part of\nthe national critical infrastructure, were found to be rated low and moderate in\nterms of risk categorization. This appeared to conflict with NIST standards, which\nused air traffic control systems as an example of high-risk impact systems in the\nFederal Government.\n\nDuring FY 2007, the CIO office issued a draft policy requiring high-risk-impact\ncategorization of systems used to support the Nation\xe2\x80\x99s critical infrastructure.\nHowever, the policy has resulted in little change at FAA. In our review this year,\nof the nearly 100 FAA air traffic control systems, none had an overall security\ncategorization of high. FAA did have 19 systems rated high, most of which were\nfor administrative purposes, such as the procurement system and several local area\nnetworks. 
Although FAA claims that air traffic control systems are properly\nprotected, it has no assurance that minimum security standards are being met in\nprotecting these systems in accordance with NIST standards and departmental\ndirectives for system categorization and testing of the appropriate security\ncontrols.\n\nFAA management stated that if the whole air traffic control system were to be\nrated, it should be high, but each system is rated individually. Because of the\nredundancy in functionality among the systems, losing one system would not have\na severe impact. However, security controls in NIST 800-53 require that\n\x0c                                                                                                              9\n\n\nassessments be completed considering national impact, not just system-level or\norganization-level impact. If any air traffic control system that operates on a\nnational level were to go down for any reason and have a negative impact, that\nsystem should be rated high. After this issue was brought to management\xe2\x80\x99s\nattention, the departmental CIO, the FAA Acting Deputy Administrator, and the\nFAA CIO all agreed to collaborate with Air Traffic Organization business owners\nto ensure that air traffic control systems are individually reviewed and categorized\nin accordance with NIST standards and DOT policy, as a key priority for FY 2008.\n\nWe also reviewed the categorization of systems that contain personally identifiable\ninformation. In FY 2006, we reported that 28 systems containing personally\nidentifiable information were improperly rated for confidentiality, 18 were rated\n\xe2\x80\x9clow\xe2\x80\x9d and 10 were not rated. 
The departmental guidance states that all systems\ncontaining personally identifiable information must have a confidentially rating of\nat least \xe2\x80\x9cmoderate.\xe2\x80\x9d 7\n\nOperating Administrations have made progress during FY 2007 in upgrading their\nconfidentiality system ratings; however, three Operating Administrations are still\ndeficient in the rating of systems containing personally identifiable information.\nOf the 110 systems containing personally identifiable information that were\nreported to the CIO Privacy Office, 11 systems\xe2\x80\x99 confidentiality levels are\nimproperly rated \xe2\x80\x9clow\xe2\x80\x9d (see Table 1).\n\n                     Table 1. Confidentiality Rating of Systems\n                    Containing Personally Identifiable Information\n                                         Number of Systems            Number of Systems\n                   Operating\n                                           with Personally            with a Confidentiality\n                 Administrationa\n                                       Identifiable Information           Rating of Low\n                FAA                                          47                            1\n                FHWA                                          8                            3\n                FMCSA                                         9                            0\n                OST                                          23                            7\n                RITA                                          4                            0\n                Other Operating\n                                                                19                            0\n                Administrations\n                Total                                          110                           11\n                Data source: CIO Privacy Office Inventory of systems containing personally\n                identifiable information as of 
9/7/2007.\n                a\n                  See Exhibit C for full Operating Administration names.\n\n\nUntil the systems are rated properly according to departmental policy, the\nDepartment has limited assurance that the Operating Administrations are\nimplementing and testing appropriate security controls to effectively protect\npersonally identifiable information.\n\n\n7\n    DOT Information Technology and Information Assurance Policy Number 039: Information Technology: Mapping\n    Information Systems to Risk Level Categories.\n\x0c                                                                                                          10\n\n\nMinimum    Security                 Standards           Have         Not       Been        Incorporated\nDepartmentwide\nLast year we reported that the Department needed to address stronger security\nrequirements that would come into play in March 2007, when Federal Information\nProcessing Standards (FIPS) 200 8 became effective. This standard specifies\nminimum security requirements for Federal information systems in 17\nsecurity-related areas. Federal agencies must meet the minimum security\nrequirements through the use of security controls in accordance with NIST Special\nPublication 800-53, Recommended Security Controls for Federal Information\nSystems. The applicable security controls must be documented in the system\nsecurity plan, based on the results of the security assessment or modification of\nsecurity controls in the information systems.\n\nThis year, in our review of the 21 sample systems, 11 from 7 Operating\nAdministrations did not provide support in their system security plans that their\nsystems were compliant with the new minimum security standards (see Table 2).\n\n                       Table 2. 
FIPS 200 Noncompliant Systems\n                                       Number of       Number of Systems Not Compliant\n                  Operating\n                                        Systems          with New Minimum Security\n                Administrationa\n                                        Sampled                   Standards\n               FAA                              9                                    2\n               FHWA                             2                                    2\n               FMCSA                            1                                    1\n               MARAD                            3                                    3\n               NHTSA                            1                                    1\n               OST                              4                                    1\n               PHMSA                            1                                    1\n               Total                          21                                    11\n               Data source: Sample Systems\xe2\x80\x99 Certification & Accreditation documents provided\n               by system owners through 9/5/2007.\n               a\n                 See Exhibit C for full Operating Administration names.\n\n\n\nThese systems are not compliant with the new security standards and could pose\nserious security risks. For example, one Operating Administration system with\nmillions of records containing personally identifiable information that are\ntransmitted across the network in clear text has not had its security plan updated\nsince before March 2006. Had this system\xe2\x80\x99s security plan been updated to comply\nwith the new minimum security standards, these records would have to be\nencrypted before they were sent across the network. 
Operating Administration\nmanagement stated that they were not aware of the requirements to upgrade\nsystem security to meet the Government standards prior to their scheduled system\nrecertification reviews\xe2\x80\x94some of which are not due until 2009. The CIO Office\n\n8\n    Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal\n    Information and Information Systems, March 9, 2006.\n\x0c                                                                                                                     11\n\n\nneeds to provide clear direction to Operating Administrations to ensure timely\ncompliance with Government security standards.\n\nCertification Review of the New IT Infrastructure Is Not Complete\nThe Department has not completed the security certification review of the\nexpanded common IT infrastructure at the new Headquarters. As one of the\ncritical components of the common IT infrastructure, the campus area network\n(CAN) is a backbone network infrastructure that provides connectivity among\ndepartmental Headquarters computers, the Internet, data centers, and remote\noffices. Due to electric power complications at the new Headquarters, the CAN\nwas extended to include a commercial vendor site in Maryland in FY 2007.\nCurrently, this expanded common IT infrastructure hosts more than 80 Operating\nAdministration application systems.\n\nLast year we recommended that the Department test security in the new IT\ninfrastructure before installing Operating Administration application systems. 9 As\npart of such testing, the Department conducted a security certification review for\nthe CAN. However, the security certification review did not cover the segment of\nthe network located at the commercial vendor site. This happened because the\ninitial CAN security certification review was conducted in April 2007, prior to its\nextension to the commercial vendor site.            
Without completing security certification reviews for the CAN, the most critical component of the Department’s IT infrastructure, the Department cannot be assured that it is providing an adequate level of security protection to its more than 80 systems operating on the infrastructure.[10]

According to the CIO Office, it plans to complete a certification review of the CAN, including its extension at the commercial vendor site, in the near future. If not properly secured, the common IT infrastructure could create security risks for all systems operating on the infrastructure. The Department needs to retest security in these application systems after certifying the expanded IT infrastructure as adequately secure. Because the Operating Administrations’ system security certifications rely on the security controls of the CAN, any delay in completing the common IT infrastructure’s certification would impede Operating Administration systems’ timely certification.

[9] OIG report “Audit of Information Security Program,” Report Number FI-2007-002, October 23, 2006.
[10] This consolidated IT infrastructure is also included on OMB’s Watch List due to security concerns not related to the CAN.

Insufficient Action Has Been Taken To Correct Identified Security Deficiencies

Remediation of system security weaknesses is a complex process involving analysis, corrective action planning, budgeting, assignment of resources, and post-closure verification. This process begins when security weaknesses identified during certification reviews of departmental systems are documented in the POA&M database by the Operating Administration that owns the system.
The information that is included in the POA&M database is used by management to ensure effective oversight of the remediation process and to report the status of correcting security weaknesses.

Last year we reported that the Department made noticeable improvement from the previous year in tracking, prioritizing, and correcting system security weaknesses. A review of the POA&M information this year found that 30 percent of corrections (901 out of about 3,000 identified security deficiencies) were overdue for more than 6 months past their scheduled completion dates. We also found that cost estimates to fix 60 percent of the approximately 3,000 identified security deficiencies were missing (see Table 3).

Table 3. POA&Ms & Cost Estimates

  Operating            Number of   Number of POA&Ms   Number of   Number of POA&Ms
  Administration (a)   Open        with Cost          Overdue     Overdue 6+ months past
                       POA&Ms      Estimates Not      POA&Ms      planned correction date
                                   Identified
  FAA                     2102           942             365              266
  FHWA (b)                 282           282             250              246
  FMCSA                     36            27               0                0
  FRA (b)                  287           287             287              269
  FTA                        1             1               0                0
  MARAD                      4             4               0                0
  NHTSA                      5             5               0                0
  OIG                        7             2               3                1
  OST                      135           126             105                5
  PHMSA (b)                105           105             105              104
  RITA                      27            27              27               10
  SLSDC                      0             0               0                0
  STB                        0             0               0                0
  Total                   2991          1808            1142              901 (c)
  Percent of Total        100%           60%             38%              30%

  Data Source: Enterprise Security Portal data as of 9/5/2007.
  (a) See Exhibit C for full Operating Administration names.
  (b) These Operating Administrations have a high number of POA&Ms overdue 6+ months past their planned correction dates in relation to the total number of open POA&Ms.
  (c) Of the corrections overdue for 6+ months, only 3 were categorized as high risk.

[Figure 1. Operating Administrations With Highest Ratios of Overdue Corrections: bar chart of open POA&Ms versus POA&Ms overdue 6+ months for FHWA, FRA, and PHMSA]

FHWA, FRA, and PHMSA all had at least 90 percent of their corrections overdue for at least 6 months (see Figure 1). This is a clear reversal of the improvement we witnessed last year, when only 9 percent of corrections Departmentwide were overdue for more than 6 months.

Without reliable cost estimates, it is difficult for management to make an informed decision to prioritize the use of limited resources. This may have resulted in delays in and cancellation of planned correction efforts. For the 1142 POA&Ms recorded as past due, 91 percent (1040 of 1142) lack cost estimates (see Table 4).

Table 4. Overdue POA&Ms

  Risk Rating   Quantity   Number with Cost   % Correction Cost
                           Not Identified     Not Identified
  High                3              3              100%
  Medium            308            275               89%
  Low               831            762               92%
  Total            1142           1040               91%

  Data Source: Enterprise Security Portal data as of 9/11/2007.

In addition, for the 380 items in which the risk of not correcting security deficiencies was accepted by management, as indicated in the POA&M database, 98 percent (374 of 380) lacked cost estimates (see Table 5). Management normally decides to cancel items in which identified security deficiencies are deemed not cost-beneficial to correct. Without adequate cost data, however, management lacks essential information needed to make informed cancellation decisions. Therefore, management may not have made proper decisions in cancelling the 374 identified security deficiencies, including the 2 rated as high risk. For example, management decided to accept the risk of not having proper password controls for system administrators for a system used by FAA to manage air traffic control flow.

Table 5. Accepted Risk POA&Ms

  Risk Rating   Quantity   Number with Cost   % Correction Cost
                           Not Identified     Not Identified
  High                4              2               50%
  Medium             26             26              100%
  Low               350            346               99%
  Total             380            374               98%

  Data Source: Enterprise Security Portal data as of 9/11/2007.

Operating Administration management reported that they do not have a formalized process to guide this effort, such as the data that should be required as input for each identified security weakness recorded in the database. In addition, the CIO has not yet finalized the departmental POA&M Handbook to manage the identified weaknesses during the life cycle, including the required information needed as part of the record in the database. Without information such as cost data, management lacks the data needed to make an informed decision for allocating the resources needed to prioritize or accept risk for identified security weaknesses. As a result, the Department faces delays in scheduled correction, leaving departmental systems exposed to vulnerabilities that could be exploited.

Continuous Deficiencies Are Evident in Network Computers’ Configuration

Both OMB and the Department require that the commercial off-the-shelf software incorporated in departmental computers, such as Windows operating systems and Oracle database systems, be configured in accordance with security configuration standards.
Last year we reported that the Department had no assurance that the commercial software was properly configured to reduce the risk of being attacked. In FY 2007, little progress was made in this area, and departmental network computers remain vulnerable to attack due to improper configuration. Further, using employees’ home computers to access departmental networks could present another security challenge because home computers may not be properly secured.

Departmental Systems Are Not Properly Configured in Compliance With Security Baseline Standards

Responding to our recommendations last year, the Department made some improvement in baseline security configuration implementation. For example, it started to use its management tracking system—Enterprise Security Portal (ESP)—to collect data from Operating Administrations about their implementation of departmental baseline configuration standards, explored an opportunity to deploy an automated tool that could enable the Department to verify its systems’ compliance, and drafted a new departmental Information Systems Security Baseline policy. However, deficiencies in this area remain. Based on the CIO Office’s FISMA Weekly Scorecard from September 7, 2007, only 126 out of 429 systems have been reported by Operating Administrations to have met baseline configuration standards (see Table 6 and Figure 2).

Table 6. Status of Departmental Systems Meeting Security Baseline Configuration Standards as Reported by Operating Administrations

  Operating             Total Number   Number of Systems Reported to Have
  Administrations (a)   of Systems     Met Security Baseline Configuration
  FAA                        264                 15
  FHWA                        25                  3
  FMCSA                       23                 22
  FRA                         20                 19
  FTA                          5                  5
  MARAD                       11                  0
  NHTSA                       18                 16
  OIG                          3                  3
  OST                         42                 29
  PHMSA                        5                  5
  RITA                        10                  9
  SLSDC                        1                  0
  STB                          2                  0
  Total                      429                126

  Data Source: Department’s CIO Office FISMA Weekly Scorecard, 9/7/2007.
  (a) See Exhibit C for full Operating Administration names.

[Figure 2. Operating Administrations’ Total Systems and Percentages of Systems Reported as Having Met Baseline Security Configuration Standards: bar chart per Operating Administration and overall; y-axis "Number of Systems"; series "Total Systems" and "Configuration Standards Met"]

We also found that the CIO Office did not verify the accuracy of Operating Administrations’ reporting. The CIO Office conducted two quarterly compliance reviews on 93 randomly selected departmental systems during FY 2007. The reviews required Operating Administrations to test the selected systems for baseline configuration compliance. Operating Administrations reported that only 52 systems had been through such a test and provided evidence of this testing. However, the CIO Office did not review the evidence provided by Operating Administrations for adequacy of compliance.

As a result, the Department has no assurance that Operating Administration computer systems have been adequately configured to ensure that effective security controls are in place. The inadequately configured systems increase security vulnerabilities, which could have an adverse impact on departmental operations.

Use of Employee Home Computers for Teleworking Could Create Security Exposure

The new IT infrastructure enables the Department to rapidly expand remote access such as VPN to support the Department’s telework initiative and continuity of business operations. VPN allows departmental employees and contractors to access information hosted on departmental networks from home or remote locations. Currently, all Department user accounts are configured to have VPN access. However, when employees connect their home computers to departmental networks, it creates security exposure because their computers may not be properly secured.
Meanwhile, the Department has no authority to regulate home computers, as indicated in the CIO’s July 2007 testimony before the House Committee on Oversight and Government Reform.

While the Department has developed a policy for implementing secure remote access, including scanning the user’s computer security profile prior to allowing access to the Department’s network,[11] it has not been finalized. Currently, the Department has to rely on users to faithfully follow the user agreement, such as employing appropriate virus-prevention tools, that they agreed to when VPN privileges were granted. This procedural control, however, provides limited assurance because employees may not be fully aware of how their home computers are configured or used by other family members. The Department of Justice recently banned the use of home computers for telework because of security concerns. If home computers that are not adequately secured are used to connect to the VPN, rather than departmental laptops, they could introduce viruses or malicious code to the Department’s networks and even become entry points for unauthorized access to departmental systems.
Management should finalize the policy and continue to explore more secure alternatives to support telecommuting.

[11] DOT IT Assurance Policy 2006-23 (draft): Secure Remote Access Implementation and Management Policy.

Reporting of Security Incidents Has Been Incomplete and Inaccurate

The Department relies on two entities—the Transportation Cyber Incident Response Center (TCIRC) and the FAA Computer Security Incident Response Center (CSIRC)—to promote information assurance by performing activities such as network monitoring, intrusion detection, incident handling, and reporting.

The Department requires that all cyber security incidents[12] be reported to TCIRC. It is then TCIRC’s responsibility to report the security incidents to US-CERT. We found that CSIRC did not report all incidents to TCIRC. Based on FAA’s internal incident log, 616 security events were detected between October 2006 and June 2007. CSIRC categorized these events as 212 incidents and 404 findings. According to CSIRC, an incident is a confirmed cyber event, which should be reported, while a finding is a cyber event that is under investigation and should not be reported. However, we found that CSIRC did not report 40 incidents (about 20 percent) and, conversely, incorrectly reported 30 findings to TCIRC. FAA claimed that 31 of these 40 incidents were either repeated or duplicated incidents. However, FAA was not able to provide any evidence that the original incidents had been reported.
In addition, FAA indicated that two incidents were false positives and did not need to be reported, even though they were not recorded as false positives in FAA’s official log.

[12] An incident is defined as the act of violating an explicit or implied security policy. It includes but is not limited to attempts to gain unauthorized access to a system or its data, unwanted disruption or denial of service, or the unauthorized use of a system for the processing or storage of data.

This inconsistent reporting happened partly because CSIRC did not have documented procedures for escalating findings to incidents once they were confirmed and then reporting these to TCIRC. In addition, communication breakdowns appear to be another contributing factor for incidents going unreported. For example, some incidents were detected during CSIRC’s weekend shift but were not relayed to the weekday shift for TCIRC reporting.

The majority of the unreported incidents involved virus infections of FAA computers. Because these incidents did not get reported to TCIRC, they were, in turn, left unreported to US-CERT. For proper coordination of defense against and response to cyber attacks Governmentwide, all incidents must be reported to the Department and US-CERT.

Recently, TCIRC’s operation has been merged into FAA CSIRC as a consolidated unit known as the Cyber Security Management Center (CSMC). This merger initiative was approved by the Department to position FAA to become an information systems security shared service provider offering cyber security services to other Government agencies.
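The reconciliation behind the finding above, as an added example that is not part of the original report and not DOT or FAA code: it compares an internal CSIRC-style log against the set of events actually reported to TCIRC and flags confirmed incidents that were never reported, findings reported while still under investigation, confirmed findings never escalated, duplicate claims whose original was itself never reported, and false-positive claims the official log does not back. The log schema, the event ids, the weekend-shift field and the sample data are assumptions constructed for the example.

```python
"""Reconcile an internal incident log against what was reported upstream.

Constructed example, not DOT or FAA code.  The log schema, the event ids
and the weekend-shift field are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class Event:
    """One row of the internal (CSIRC-style) log."""
    event_id: str
    category: str                       # "incident" (confirmed) or "finding" (under investigation)
    confirmed: bool = False             # for findings: investigation concluded it is real
    false_positive: bool = False        # True only if the official log records it as such
    duplicate_of: Optional[str] = None  # id of the original event this one repeats, if any
    weekend_shift: bool = False         # detected by the weekend shift (assumed field)


@dataclass
class Reconciliation:
    unreported_incidents: List[str]        # confirmed incidents that never reached TCIRC
    misreported_findings: List[str]        # still under investigation, yet reported
    unescalated_findings: List[str]        # confirmed but never reclassified and reported
    unsupported_duplicates: List[str]      # claimed repeat, but the original was not reported
    unrecorded_false_positives: List[str]  # claimed false positive, official log disagrees
    weekend_unreported: List[str]          # unreported incidents detected on the weekend shift


def reconcile(log: Iterable[Event], reported: Set[str],
              claimed_false_positives: Set[str]) -> Reconciliation:
    """Apply the reporting rules: every confirmed incident must be reported,
    findings must not be, and any excuse must be backed by the log itself."""
    by_id: Dict[str, Event] = {e.event_id: e for e in log}
    unreported: List[str] = []
    misreported: List[str] = []
    unescalated: List[str] = []
    bad_dups: List[str] = []
    bad_fps: List[str] = []

    for ev in by_id.values():
        if ev.category == "finding":
            if ev.event_id in reported:
                misreported.append(ev.event_id)   # reported before confirmation
            elif ev.confirmed:
                unescalated.append(ev.event_id)   # should have become an incident
            continue
        if ev.category != "incident":
            raise ValueError(f"unknown category {ev.category!r} for {ev.event_id}")
        if ev.event_id in reported or ev.false_positive:
            continue                               # reported, or excused by the official log
        if ev.event_id in claimed_false_positives:
            bad_fps.append(ev.event_id)            # excuse not backed by the log: still counts
        if ev.duplicate_of is not None:
            if ev.duplicate_of in reported:
                continue                           # repeat of a reported incident: acceptable
            bad_dups.append(ev.event_id)           # repeat of something never reported
        unreported.append(ev.event_id)

    weekend = [i for i in unreported if by_id[i].weekend_shift]
    return Reconciliation(sorted(unreported), sorted(misreported), sorted(unescalated),
                          sorted(bad_dups), sorted(bad_fps), sorted(weekend))


def unreported_share(rec: Reconciliation, log: Iterable[Event]) -> float:
    """Fraction of confirmed, non-false-positive incidents that went unreported."""
    confirmed = [e for e in log if e.category == "incident" and not e.false_positive]
    return len(rec.unreported_incidents) / len(confirmed) if confirmed else 0.0


# Constructed sample log (not real FAA data).
SAMPLE_LOG = [
    Event("E-001", "incident"),                          # reported
    Event("E-002", "incident"),                          # reported
    Event("E-003", "incident", weekend_shift=True),      # weekend detection, never relayed
    Event("E-004", "incident", duplicate_of="E-001"),    # repeat of a reported incident
    Event("E-005", "incident", duplicate_of="E-003"),    # repeat of an unreported incident
    Event("E-006", "incident"),                          # claimed false positive, log disagrees
    Event("E-007", "incident", false_positive=True),     # recorded false positive
    Event("E-008", "finding"),                           # reported while under investigation
    Event("E-009", "finding"),                           # correctly withheld
    Event("E-010", "finding", confirmed=True),           # confirmed but never escalated
]
SAMPLE_REPORTED = {"E-001", "E-002", "E-008"}   # what TCIRC actually received
SAMPLE_FP_CLAIMS = {"E-006", "E-007"}          # what the responder claimed afterwards


if __name__ == "__main__":
    result = reconcile(SAMPLE_LOG, SAMPLE_REPORTED, SAMPLE_FP_CLAIMS)
    for field_name, ids in vars(result).items():
        print(f"{field_name:28s} {ids}")
    print(f"unreported share of confirmed incidents: "
          f"{unreported_share(result, SAMPLE_LOG):.0%}")
```

Each list in the result is a concrete follow-up item: an unsupported duplicate or an unrecorded false-positive claim is exactly the kind of excuse the audit could not accept without evidence in the official log.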
Starting in FY 2008, CSMC will provide incident monitoring and reporting services to other Operating Administrations. Employing a consistent reporting practice in line with established departmental policies and procedures should be a prerequisite for FAA to provide services to the Department, and eventually to other Government agencies, as a shared service provider for information system security.

To better prepare it to become a shared service provider, FAA also needs to enhance its performance measurement reporting to senior management on security incidents. During FY 2006, a security incident caused severe service degradation and forced FAA to shut down a portion of its air traffic control systems. FAA thoroughly investigated the incident, identified the cause of the problem, and implemented countermeasures to prevent it from occurring again. Nonetheless, it inaccurately reported to the Secretary, OMB, and the Congress, in its Performance and Accountability Report, that “no successful cyber events that significantly disabled or degraded our service” had taken place.

FAA Took Renewed Initiatives in Correcting Air Traffic Control System Security Weaknesses

The President has designated FAA’s air traffic control systems as part of the Nation’s critical infrastructure, due to the important role commercial aviation plays in fostering and sustaining the national economy and ensuring citizens’ safety and mobility. In FY 2004, we reported deficiencies in protecting this critical infrastructure in two areas: (1) continuity planning to restore essential air service in case of prolonged service disruptions at en route centers and (2) review of operational air traffic control systems security outside of the computer laboratory. Last year, we reported inadequate progress in both areas.
FAA senior\nmanagement pledged aggressive action.\n\nFAA\xe2\x80\x99s renewed initiatives during 2007 were directly related to the leadership\nprovided by the Deputy Administrator (now Acting Administrator) and\ndemonstrated modest progress in developing a back-up continuity capability for\nrestoring essential en route air traffic control services. However, FAA has\nencountered several challenges.\n\n\xe2\x80\xa2 Measuring the loss of each en route center\xe2\x80\x99s impact on the National Airspace\n  System. 13 FAA\xe2\x80\x99s plan estimates restoration of 80 percent of any affected\n  en route center\xe2\x80\x99s capabilities within 3 weeks at a designated recovery site;\n  however, the impact that a disabled center will have on the National Airspace\n  System as a whole has not been assessed. Since en route centers rely on\n\n13\n  The National Airspace System is an interconnected system of airports, air traffic facilities and equipment,\n   navigational aids, and airways.\n\x0c                                                                                                                      20\n\n\n       adjacent centers to efficiently manage air traffic, the loss of each center could\n       cause a different ripple effect throughout the entire system. In order for FAA\n       to better understand the overall impact, it will need to conduct an impact\n       analysis on the effect that the loss of 20 percent of operational capability at\n       each en route center would have on the entire system. 
Because the plan would\n       shift functionality of the disabled center to the FAA recovery site located at its\n       Technical Center in Atlantic City, NJ, the analysis should also determine the\n       impact that an activated recovery plan will have on the Technical Center\xe2\x80\x99s core\n       mission\xe2\x80\x94developing and testing systems used to support air traffic control\n       operations and aircraft safety.\n\n\xe2\x80\xa2 Resolving continuity plan technical and resource concerns. The success of the\n  continuity plan hinges on FAA\xe2\x80\x99s ability to overcome logistical challenges.\n  These challenges include rerouting voice communications and surveillance\n  signals from the affected en route center to the recovery center, ensuring that\n  the spare en route center at the Technical Center is properly staffed in the event\n  it is activated, and coordinating with the appropriate labor unions for human\n  resource management. Another resource concern involves its funding. FAA\n  has budgeted $12 million for developing and implementing the continuity plan.\n  However, this funding level was not based on sufficient analysis or cost\n  estimates; rather, it was obtained by reallocating excess funds from current and\n  ongoing FAA projects. FAA should complete a cost and schedule analysis to\n  better determine the estimated costs and use these figures to secure additional\n  funding commitments, if needed.\n\nRegarding reviews of operational air traffic control systems security, FAA\ndeveloped a methodology to select high-risk systems located in the field for\ntesting. In fact, FAA went beyond our recommendation and applied this\nmethodology to systems other than those used for air traffic control. However,\nFAA did not meet its commitment to us to complete its reviews of all TRACON\nand tower systems by the end of FY 2007. 
14 Further, despite the improved\nsite-selection methodology, FAA did not enhance its methodology to help identify\nsoftware differences between the baseline systems at the Tech Center and the\noperational air traffic control systems in the field. This deficiency could weaken\noverall security protection because vulnerabilities could inadvertently be created\nwhen software changes are made to meet local (field site) operational needs, as\nevidenced in our previous audit reports. Due to the sensitivity of air traffic control\nsystems, we will issue a separate report detailing progress, potential challenges,\nand recommendations.\n\n\n\n14\n     A Terminal Radar Approach Control facility (TRACON) is an Air Traffic Control Center usually located within the\n     vicinity of a large airport that controls aircraft within 30-50 nautical miles of the airport between the surface and\n     10,000 feet. Towers are located on the airport and control landing and departing aircraft.\n\x0c                                                                                                           21\n\n\nModest Progress Was Made in Implementing Earned Value\nManagement\n\nSince FY 2002, OMB has required the use of EVM as a project management tool\nfor major IT investments. This process is intended to ensure that data produced\nthrough EVM are reliable enough to allow objective reporting of project status,\nproduce early warning signs of impending schedule delays and cost overruns, and\nprovide estimates of anticipated costs at completion based on actual progress made\nagainst the planned work.\n\nAs stated in last year\xe2\x80\x99s report, EVM can have a significant impact on the success\nof an IT acquisition because it heightens departmental Investment Review Board\n(IRB) visibility into whether the major IT investment is on target with respect to\ncost, schedule, and technical performance. 
15 We have made recommendations in\nthe past that would require Operating Administration management to improve\nEVM practices to ensure that the IRB and OMB have reliable and quantifiable\ndata available with which to make effective IT investment decisions.\n\nThis year, Operating Administrations reported that 35 percent of major\ndepartmental IT investments met at least half of OMB\xe2\x80\x99s criteria for EVM\nimplementation, OMB\xe2\x80\x99s memorandum M-05-23,16 which lists 32 criteria for EVM\ncompliance. This represents a modest improvement from the 23 percent reported\nlast year (see Table 7).\n\n              Table 7. Departmental Major IT Investment EVM Status\n                                                                     OMB\xe2\x80\x99s EVM\n                                Major IT                (Meeting 50 percent or greater criteria)\n        Operating             Investments\n      Administrationa          (Requiring                 FY 2006                          FY 2007\n                                 EVM)            Investments        Percent      Investments         Percent\n     FAA                                   21               6          29%                10            48%\n     Other                                 10               1          10%                  1           10%\n     Total                                 31               7          23%                11            35%\n     Data Source: Department\xe2\x80\x99s EVM Quarterly Report, 5/2007, and FAA EVM Self Assessment, 6/2007.\n     a\n       See Exhibit C for full Operating Administration names.\n\n\nWhile FAA made more progress than other Operating Administrations in\nenhancing EVM implementation, it still faces a significant challenge and requires\ncontinued management attention. 
In FY 2007 OMB identified 22 departmental major investments as high-risk and required the Department to promote more effective oversight by establishing and validating performance measurement baselines, specifically through the use of EVM, for 12 investments. FAA is responsible for managing all of these 12 high-risk investment projects, 5 of which have not met half of the OMB EVM implementation requirements. One of these systems is the Automatic Dependent Surveillance-Broadcast (ADS-B) system. Congress specifically requires FAA to use EVM to manage development cost and schedule because of its importance to future air traffic control operations. These five investments account for about $10 billion in life-cycle cost estimates, half of the total high-risk investment life-cycle estimated cost (see Table 8).

[15] OIG Report "Audit of Information Security Program," Report Number FI-2007-002, October 23, 2006.
[16] Improving Information Technology (IT) Project Planning and Execution, OMB M-05-23, August 4, 2005.

Table 8. FAA Major High-Risk IT Investments

                                                              Life-Cycle   Project Met 50% of OMB's EVM
                                                              Dollars      Implementation Criteria in
 #   High-Risk IT Investments                                 (Millions)   FY 2006          FY 2007
 1   Automated Surface Observing System/Automated               $1,075     NO               NO
     Weather Observing System (ASOS/AWOS)
 2   Wide Area Augmentation System (WAAS)                       $4,225     NO               NO
 3   FAA Telecommunications Infrastructure (FTI)                $2,289     NO               NO
 4   System-Wide Information Management (SWIM)                    $431     new development  NO
 5   Automatic Dependent Surveillance-Broadcast (ADS-B)         $2,341     new development  NO
     Sub-total                                                 $10,361
 6   Standard Terminal Automation Replacement System (STARS)    $3,580     NO               YES
 7   Terminal Radar Digitizing, Replacement, and                $1,148     NO               YES
     Establishment (TRDRE) (ASR-11)
 8   Oceanic Automation System: Advanced Technologies and       $1,605     NO               YES
     Oceanic Procedures (ATOP)
 9   Next Generation VHF Air/Ground Communications (NEXCOM)       $440     YES              YES
10   En Route Automation Modernization (ERAM)                   $2,843     YES              YES
11   Terminal Automation Modernization and Replacement (TAMR)     $178     YES              YES
12   Traffic Flow Management (TFM)                                $968     YES              YES
     Sub-total                                                 $10,762
     Total                                                     $21,123
Data Source: FAA EVM Self-Assessment, 6/2007, and OMB High Risk IT Projects, 6/30/2007.

Another area requiring management attention is that the CIO Office has not developed procedures to verify Operating Administrations' EVM progress reporting. During FY 2007, the CIO Office devoted resources to other higher priority initiatives, such as the move to the new Headquarters and revising IRB charters for IT governance issues. However, the CIO Office continues to use the EVM data submitted by the Operating Administrations to report the status of investments to OMB and senior departmental officials. Until the Department adequately implements EVM processes, it has limited assurance that the information used for tracking the cost, schedule, and performance of its investments is reliable.
As reported last year, the CIO Office needs to develop a work plan to guide and measure EVM implementation in the Department.

RECOMMENDATIONS

In order to strengthen the Department's information security program, we recommend that the Chief Information Officer:

Enhance the protection of information systems by:
1.  Working with the Acting FAA Administrator to establish target dates for correcting air traffic control systems' risk categorization in accordance with departmental policy;
2.  Working with the affected Operating Administrations to ensure proper risk categorization and security protection of systems containing personally identifiable information;
3.  Requiring Operating Administration CIOs and system owners to identify and implement security upgrades needed to meet minimum security standards by March 31, 2008; and
4.  Establishing a security test and evaluation process for all departmental systems operating on the common IT infrastructure after the security controls review is complete for the expanded infrastructure.

Enhance correction of identified security deficiencies by:
5.  Working with Operating Administrators to develop measures of accountability that would hold Operating Administration CIOs and system owners responsible for timely correction, and decisions to support cancellations, of identified security weaknesses, such as incorporating these measures as part of their performance standards.

Enhance network security configuration by:
6.  Working with Operating Administrations to establish an effective methodology to ensure that commercial software products used in departmental systems are configured in accordance with security standards; and deploying an automated tool to systematically verify compliance with departmental baseline configuration standards; and
7.  Finalizing the secure remote access implementation and management policy; and continuing to explore alternatives to using employee home computers for telework, such as having a pool of Government-issued laptop computers that are properly configured and in compliance with departmental security standards to support telework.

Ensure the consistency and timeliness of security incident reporting by:
8.  Directing the FAA CSIRC to establish consistent procedures to ensure that all security incidents are reported to the Department and US–CERT in a timely manner;
9.  Conducting periodic reviews of the effectiveness of FAA's security incident reporting practice; and
10. Working with the FAA CIO to ensure accurate security performance measurement reporting in the Performance and Accountability Report to OMB and the Congress.

Enhance the Department's implementation of earned value management by:
11. Working with Operating Administration CIOs to establish goals for improving EVM implementation in all major investment projects; and
12. Performing an EVM system compliance assessment based on Operating Administration progress reporting.

MANAGEMENT COMMENTS AND OFFICE OF INSPECTOR GENERAL RESPONSE

A draft of this report was provided to the Department's Chief Information Officer on September 28, 2007. On October 4, we received the Department's Chief Information Officer's response, which can be found in the appendix.
The Chief Information Officer generally concurred with the report's findings and recommendations and will provide details in 30 days, describing the specific actions and milestones that will be taken to implement the recommendations.

ACTIONS REQUIRED

We will review the Chief Information Officer's detailed action plans to determine whether they satisfy the intent of our recommendations. All corrections are subject to follow-up provisions in DOT Order 8000.1.C. We appreciate the courtesies and cooperation of the CIO Office and the Operating Administrations' representatives during this audit. If you have any questions concerning this report, please call me at (202) 366-1959; David Dobbs, Principal Assistant Inspector General for Auditing and Evaluation, at (202) 366-0500; or Rebecca C. Leng, Assistant Inspector General for Financial and Information Technology Audits, at (202) 366-1496.

                                         #

cc: Deputy Secretary
    Assistant Secretary for Budget and Programs/Chief Financial Officer
    Acting Federal Aviation Administrator
    CIO Council Members
    Martin Gertel, M-1

EXHIBIT A. OIG INPUT TO FISMA REPORT

Question 1: FISMA Systems Inventory

1. As required in FISMA, the IG shall evaluate a representative subset of systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. In the table below, identify the number of agency and contractor information systems, and the number reviewed, by component/bureau and FIPS 199 system impact level (high, moderate, low, or not categorized). Extend the worksheet onto subsequent pages if necessary to include all Component/Bureaus.

Agency systems shall include information systems used or operated by an agency. Contractor systems shall include information systems used or operated by a contractor of an agency or other organization on behalf of an agency. The total number of systems shall include both agency systems and contractor systems.

Agencies are responsible for ensuring the security of information systems used by a contractor of their agency or other organization on behalf of their agency; therefore, self-reporting by contractors does not meet the requirements of law. Self-reporting by another Federal agency, for example, a Federal service provider, may be sufficient. Agencies and service providers have a shared responsibility for FISMA compliance.

Question 2: Certification and Accreditation, Security Controls Testing, and Contingency Plan Testing

2. For the Total Number of Systems reviewed by Component/Bureau and FIPS System Impact Level in the table for Question 1, identify the number and percentage of systems which have: a current certification and accreditation, security controls tested and reviewed within the past year, and a contingency plan tested in accordance with policy.

                         Question 1                                Question 2
                         a. Agency     b. Contractor c. Total      Q2a. Certified Q2b. Controls Q2c. Contingency
Bureau  FIPS 199 Impact  Systems       Systems       (Agency and   and accredited tested and    plans tested in
        Level                                        Contractor)                  reviewed      accordance with policy
                           Num    Rev    Num    Rev    Num    Rev    Num  % Tot    Num  % Tot    Num  % Tot
FAA     High               19      0      0      0     19      0      0             0             0
        Moderate          159      2      7      0    166      2      2   100%      1    50%      1    50%
        Low                75      6      4      1     79      7      7   100%      6    86%      0     0%
        Not Categorized     0      0      0      0      0      0      0             0             0
        Sub-total         253      8     11      1    264      9      9   100%      7    78%      1    11%
FHWA    High                6      0      0      0      6      0      0             0             0
        Moderate           13      2      1      0     14      2      0     0%      0     0%      0     0%
        Low                 5      0      0      0      5      0      0             0             0
        Not Categorized     0      0      0      0      0      0      0             0             0
        Sub-total          24      2      1      0     25      2      0     0%      0     0%      0     0%
FMCSA   High                1      0      0      0      1      0      0             0             0
        Moderate           21      1      0      0     21      1      1   100%      0     0%      1   100%
        Low                 1      0      0      0      1      0      0             0             0
        Not Categorized     0      0      0      0      0      0      0             0             0
        Sub-total          23      1      0      0     23      1      1   100%      0     0%      1   100%
FRA     High                0      0      0      0      0      0      0             0             0
        Moderate           19      0      0      0     19      0      0             0             0
        Low                 1      0      0      0      1      0      0             0             0
        Not Categorized     0      0      0      0      0      0      0             0             0
        Sub-total          20      0      0      0     20      0      0             0             0
FTA     High                0      0      0      0      0      0      0             0             0
        Moderate            3      0      0      0      3      0      0             0             0
        Low                 2      0      0      0      2      0      0             0             0
        Not Categorized     0      0      0      0      0      0      0             0             0
        Sub-total           5      0      0      0      5      0      0             0             0
MARAD   High                0      0      0      0      0      0      0             0             0
        Moderate            7      3      0      0      7      3      1    33%      0     0%      0     0%
        Low                 4      0      0      0      4      0      0             0             0
        Not Categorized     0      0      0      0      0      0      0             0             0
        Sub-total          11      3      0      0     11      3      1    33%      0     0%      0     0%
NHTSA   High                0      0      0      0      0      0      0             0             0
        Moderate            7      0      3      1     10      1      1   100%      0     0%      1   100%
        Low                 8      0      0      0      8      0      0             0             0
        Not Categorized     0      0      0      0      0      0      0             0             0
        Sub-total          15      0      3      1     18      1      1   100%      0     0%      1   100%
OIG     High                0      0      0      0      0      0      0             0             0
        Moderate            2      0      0      0      2      0      0             0             0
        Low                 1      0      0      0      1      0      0             0             0
        Not Categorized     0      0      0      0      0      0      0             0             0
        Sub-total           3      0      0      0      3      0      0             0             0
OST     High                5      2      0      0      5      2      2   100%      1    50%      0     0%
        Moderate           23      2      0      0     23      2      2   100%      1    50%      0     0%
        Low                14      0      0      0     14      0      0             0             0
        Not Categorized     0      0      0      0      0      0      0             0             0
        Sub-total          42      4      0      0     42      4      4   100%      2    50%      0     0%
PHMSA   High                0      0      0      0      0      0      0             0             0
        Moderate            3      1      0      0      3      1      1   100%      0     0%      1   100%
        Low                 2      0      0      0      2      0      0             0             0
        Not Categorized     0      0      0      0      0      0      0             0             0
        Sub-total           5      1      0      0      5      1      1   100%      0     0%      1   100%
RITA    High                0      0      0      0      0      0      0             0             0
        Moderate            9      0      0      0      9      0      0             0             0
        Low                 1      0      0      0      1      0      0             0             0
        Not Categorized     0      0      0      0      0      0      0             0             0
        Sub-total          10      0      0      0     10      0      0             0             0
SLSDC   High                0      0      0      0      0      0      0             0             0
        Moderate            0      0      0      0      0      0      0             0             0
        Low                 1      0      0      0      1      0      0             0             0
        Not Categorized     0      0      0      0      0      0      0             0             0
        Sub-total           1      0      0      0      1      0      0             0             0
STB     High                0      0      0      0      0      0      0             0             0
        Moderate            2      0      0      0      2      0      0             0             0
        Low                 0      0      0      0      0      0      0             0             0
        Not Categorized     0      0      0      0      0      0      0             0             0
        Sub-total           2      0      0      0      2      0      0             0             0
                0\n               High                             31                2              0                0            31                 2                 2         100%                  1           50%                0             0%\nAgency         Moderate                        268               11             11                1           279                12                 8          67%                  2           17%                4            33%\nTotals         Low                             115                6              4                1           119                 7                 7         100%                  6           86%                0             0%\n               Not Categorized                   0                0              0                0             0                 0                 0                               0                              0\n               Total                           414               19             15                2           429                21                17           81%                 9           43%                4            19%\n\n\n\n Exhibit A. 
OIG Input to FISMA Report\n\x0c                                                                                                     27\n\n\n\n                                         Question 3:\n    Evaluation of Oversight of Contractor Systems and Quality of Agency System Inventory\n           The agency performs oversight and evaluation to ensure\n           information systems used or operated by a contractor of the\n           agency or other organization on behalf of the agency meet the\n           requirements of FISMA, OMB policy and NIST guidelines,\n           national security policy, and agency policy.\n           Agencies are responsible for ensuring the security of information\n           systems used by a contractor of their agency or other organization\n           on behalf of their agency; therefore, self reporting by contractors\n           does not meet the requirements of law. Self-reporting by another\n                                                                                        Almost Always\n           Federal agency, for example, a Federal service provider, may be\n    3.a.   sufficient. 
Agencies and service providers have a shared                  (96-100% of the time)\n           responsibility for FISMA compliance.\n           Response Categories:\n            - Rarely- for example, approximately 0-50% of the time\n            - Sometimes- for example, approximately 51-70% of the time\n            - Frequently- for example, approximately 71-80% of the time\n            - Mostly- for example, approximately 81-95% of the time\n            - Almost Always- for example, approximately 96-100% of the\n               time\n           The agency has developed a complete inventory of major\n           information systems (including major national security\n           systems) operated by or under the control of such agency,\n           including an identification of the interfaces between each such\n           system and all other systems or networks, including those not\n           operated by or under the control of the agency.\n                                                                                 Inventory is 96-100% complete\n    3.b.   Response Categories:\n            -   The inventory is approximately 0-50% complete\n            -   The inventory is approximately 51-70% complete\n            -   The inventory is approximately 71-80% complete\n            -   The inventory is approximately 81-95% complete\n            -   The inventory is approximately 96-100% complete\n\n           The IG generally agrees with the CIO on the number of\n    3.c.                                                                                     Yes\n           agency-owned systems. Yes or No.\n\n           The IG generally agrees with the CIO on the number of\n           information systems used or operated by a contractor of the\n    3.d.                                                                                     Yes\n           agency or other organization on behalf of the agency. 
Yes or\n           No.\n           The agency inventory is maintained and updated at least\n    3.e.   annually.                                                                         Yes\n           Yes or No.\n\n           If the Agency IG does not evaluate the Agency\'s inventory as 96-100% complete, please identify the\n           known missing systems by Component/Bureau, the Unique Project Identifier (UPI) associated with\n    3.f.\n           the system as presented in your FY2008 Exhibit 53 (if known), and indicate if the system is an\n           agency or contractor system.\n\n\n\n\nExhibit A. OIG Input to FISMA Report\n\x0c                                                                                                        28\n\n\n                                              Question 4:\n                    Evaluation of Plan of Action and Milestones (POA&M) Process\n    Assess whether the agency has developed, implemented, and is managing an agency-wide plan of action\n    and milestones (POA&M) process. Evaluate the degree to which each statement reflects the status in your\n    agency by choosing from the responses provided. If appropriate or necessary, include comments in the\n    area provided.\n    For each statement in items 4.a. 
through 4.f., select the response category that best reflects the agency\'s\n    status.\n    Response Categories:\n     - Rarely- for example, approximately 0-50% of the time\n     - Sometimes- for example, approximately 51-70% of the time\n     - Frequently- for example, approximately 71-80% of the time\n     - Mostly- for example, approximately 81-95% of the time\n     - Almost Always- for example, approximately 96-100% of the time\n          The POA&M is an agency-wide process, incorporating all\n          known IT security weaknesses associated with information                         Sometimes\n    4.a.\n          systems used or operated by the agency or by a contractor of                (51-70% of the time)\n          the agency or other organization on behalf of the agency.\n           When an IT security weakness is identified, program officials                   Sometimes\n    4.b.   (including CIOs, if they own or operate a system) develop,\n           implement, and manage POA&Ms for their system(s).                          (51-70% of the time)\n\n           Program officials and contractors report their progress on                    Almost Always\n    4.c.   security weakness remediation to the CIO on a regular basis\n           (at least quarterly).                                                      (96-100% of the time)\n\n           Agency CIO centrally tracks, maintains, and reviews POA&M                     Almost Always\n    4.d.\n           activities on at least a quarterly basis.                                  (96-100% of the time)\n\n                                                                                         Almost Always\n    4.e.   IG findings are incorporated into the POA&M process.\n                                                                                      (96-100% of the time)\n\n           POA&M process prioritizes IT security weaknesses to help                        Frequently\n    4.f.   
ensure significant IT security weaknesses are addressed in a\n           timely manner and receive appropriate resources.                           (71-80% of the time)\n\n    Comments:\n\n\n\n\nExhibit A. OIG Input to FISMA Report\n\x0c                                                                                                            29\n\n\n                                              Question 5:\n                       IG Assessment of the Certification and Accreditation Process\n    Provide a qualitative assessment of the agency\'s certification and accreditation process, including\n    adherence to existing policy, guidance, and standards. Provide narrative comments as appropriate.\n    Agencies shall follow NIST Special Publication 800-37, "Guide for the Security Certification and Accreditation\n    of Federal Information Systems" (May 2004) for certification and accreditation work initiated after May 2004.\n    This includes use of the FIPS 199, "Standards for Security Categorization of Federal Information and Information\n    Systems" (February 2004) to determine a system impact level, as well as associated NIST document used as\n    guidance for completing risk assessments and security plans.\n\n           The IG rates the overall quality of the Agency\'s certification\n           and accreditation process as:\n           Response Categories:\n    5.a.    
-   Excellent                                                                    Satisfactory\n            -   Good\n            -   Satisfactory\n            -   Poor\n            -   Failing\n\n                                                                                Security plan                    Yes\n\n           The IG\'s quality rating included or considered the following         System impact level              Yes\n    5.b.\n           aspects of the C&A process:\n                                                                                System test and\n                                                                                                                 Yes\n                                                                                evaluation\n\n                                                                                Security control testing         Yes\n\n                                                                                Incident handling                Yes\n\n                                                                                Security awareness\n                                                                                                                 Yes\n                                                                                training\n\n                                                                                Configurations/patching          Yes\n\n                                                                                Other: Contingency Planning\n\n    Comments:         Item 5.a. We identified a concern with FAA\xe2\x80\x99s risk-impact analyses of air traffic control systems\n    in both FYs 2006 and 2007. Specifically, of about 100 systems used to direct air traffic control operations, none\n    were reported as having a high-risk impact. Systems identified by FAA as high-risk impact are primarily for\n    administrative functions, such as the procurement system. 
After this issue was brought to management\xe2\x80\x99s\n    attention again this year, the departmental CIO, the FAA Acting Deputy Administrator, and the FAA CIO all\n    agreed to collaborate with Air Traffic Organization business owners to ensure that air traffic control systems are\n    individually reviewed and categorized in accordance with NIST standards and DOT policy, as a key priority for\n    FY 2008. We considered this commitment in our evaluation of the overall quality of the Department\xe2\x80\x99s\n    certification and accreditation process. We plan to follow up with FAA on this issue throughout FY 2008.\n\n\n\n\nExhibit A. OIG Input to FISMA Report\n\x0c                                                                                  30\n\n\n                                           Question 6:\n           IG Assessment of Privacy Program and Privacy Impact Assessment (PIA) Process\n            Provide a qualitative assessment of the agency\'s Privacy\n            Impact Assessment (PIA) process, as discussed in Section D\n            II.4 (SAOP reporting template), including adherence to\n            existing policy, guidance, and standards.\n            Response Categories:\n                                                                           Good\n    6.a.     
-   Response Categories:\n             -   Excellent\n             -   Good\n             -   Satisfactory\n             -   Poor\n             -   Failing\n\n    Comments:\n\n\n            Provide a qualitative assessment of the agency\'s progress to\n            date in implementing the provisions of M-06-15,\n            "Safeguarding Personally Identifiable Information" since the\n            most recent self-review, including the agency\'s policies and\n            processes, and the administrative, technical, and physical\n            means used to control and protect personally identifiable\n            information (PII).\n                                                                           Good\n    6.b.    Response Categories:\n             -   Response Categories:\n             -   Excellent\n             -   Good\n             -   Satisfactory\n             -   Poor\n             -   Failing\n    Comments:\n\n\n\n\nExhibit A. OIG Input to FISMA Report\n\x0c                                                                                                            31\n\n\n                                                   Question 7:\n                                            Configuration Management\n\n           Is there an agency-wide security configuration policy?\n    7.a.                                                                                           Yes\n           Yes or No.\n\n    Comments:         Currently, the Department has a draft policy called DOT Information Technology and\n                      Information Assurance policy 2007-XX: FISMA Information System Security Baseline\n                      configuration policy. 
When it becomes the final, this policy supersedes departmental IA/IT\n                      policy, issued on April 3, 2006\n\n           Approximate the extent to which applicable information\n           systems apply common security configurations established by\n           NIST.\n           Response categories:\n    7.b.                                                                                          Rarely\n            -   Rarely- for example, approximately 0-50% of the time\n            -   Sometimes- for example, approximately 51-70% of the time                   (0-50% of the time)\n            -   Frequently- for example, approximately 71-80% of the time\n            -   Mostly- for example, approximately 81-95% of the time\n            -   Almost Always- for example, approximately 96-100% of the\n                time\n\n                                                      Question 8:\n                                                  Incident Reporting\n    Indicate whether or not the agency follows documented policies and procedures for reporting incidents\n    internally, to US-CERT, and to law enforcement. If appropriate or necessary, include comments in the\n    area provided below.\n\n           The agency follows documented policies and procedures for\n    8.a.                                                                                           Yes\n           identifying and reporting incidents internally. Yes or No.\n\n           The agency follows documented policies and procedures for\n    8.b.   external reporting to US-CERT.                                                          Yes\n           Yes or No. (http://www.us-cert.gov)\n\n           The agency follows documented policies and procedures for\n    8.c.   reporting to law enforcement.                                                           
Yes\n           Yes or No.\n\n    Comments:         While we answered \xe2\x80\x9cYes\xe2\x80\x9d to item 8a, we found that FAA did not report 40 security incidents,\n                      which account for approximately 14% of the total security incidents in the first three quarters of\n                      FY 2007, to the Department. FAA claimed that 31 of these 40 incidents were either repeated or\n                      duplicated incidents. However, FAA was not able to provide any evidence that the original\n                      incidents had been reported. In addition, FAA indicated that two incidents were false-positives\n                      and did not need to be reported, even though they were not recorded as false-positives in FAA\xe2\x80\x99s\n                      official log.\n\n\n\n\nExhibit A. OIG Input to FISMA Report\n\x0c                                                                                             32\n\n\n                                                 Question 9:\n                                        Security Awareness Training\n    Has the agency ensured security awareness training of all employees,\n    including contractors and those employees with significant IT\n    security responsibilities?\n    Response Categories:                                                        Frequently\n     -   Rarely- or approximately 0-50% of employees                       (71-80% of employees)\n     -   Sometimes- or approximately 51-70% of employees\n     -   Frequently- or approximately 71-80% of employees\n     -   Mostly- or approximately 81-95% of employees\n     -   Almost Always- or approximately 96-100% of employees\n\n                                                Question 10:\n                                          Peer-to-Peer File Sharing\n    Does the agency explain policies regarding peer-to-peer file sharing\n    in IT security awareness training, ethics training, or any other               Yes\n    agency wide 
training? Yes or No.\n\n                                              Question 11:\n                                    E-Authentication Risk Assessments\n\n    The agency has completed system e-authentication risk assessments.\n                                                                                   Yes\n    Yes or No.\n\n\n\n\nExhibit A. OIG Input to FISMA Report\n\x0c                                                                              33\n\n\n\n\nEXHIBIT B. SCOPE AND METHODOLOGY\nDuring FY 2007, we fulfilled the requirements of the Federal Information Security\nManagement Act of 2002 by reviewing the progress made in meeting the\nminimum Government security standards to protect sensitive information systems\nand data, determining whether the network operating environment at the\nDepartment\xe2\x80\x99s new Headquarters building is secure, identifying corrections made\nto security weaknesses previously identified, and evaluating the Department\xe2\x80\x99s use\nof earned value management for its major IT investment projects. In addition, we\nsampled 21 systems that had undergone system security reviews to determine\nwhether the Operating Administrations had complied with governmental and\ndepartmental standards in assessing system risks, identifying security\nrequirements, testing security controls, and accrediting systems to support\nbusiness operations.\n\nWe assessed the Department\xe2\x80\x99s progress in correcting weaknesses identified in last\nyear\xe2\x80\x99s FISMA review and contributed to the FISMA report by rating departmental\nprogress in areas specified by OMB.\n\nWe used the audit methodologies recommended by the Government\nAccountability Office and guidelines issued by other Government authorities such\nas the National Institute of Standards and Technology. 
We also used commercial\nscanning software to assess network vulnerabilities.\n\nWe performed our information security review work throughout FY 2007,\nfocusing on FISMA evaluation between March and September 2007 at\ndepartmental and Operating Administration Headquarters offices in the\nWashington, DC, metropolitan area. This performance audit was conducted in\naccordance with Generally Accepted Government Auditing Standards prescribed\nby the Comptroller General of the United States and included such tests as we\nconsidered necessary to detect fraud, waste, and abuse.\n\nPrevious audit reports on the Department\xe2\x80\x99s information security program issued in\nresponse to the FISMA legislative mandate (formerly the Government Information\nSecurity Reform Act [GISRA]) include:\n\nDOT Information Security Program, FI-2007-002, October 23, 2006;\nDOT Information Security Program, FI-2006-002, October 7, 2005;\nDOT Information Security Program, FI-2005-001, October 1, 2004;\nDOT Information Security Program, FI-2003-086, September 25, 2003;\nDOT Information Security Program, FI-2002-115, September 27, 2002; and\nDOT Information Security Program, FI-2001-090, September 7, 2001.\n\n\n\nExhibit B. Scope and Methodology\n\x0c                                                                                                    34\n\n\n\n\nEXHIBIT C. 
DEPARTMENTAL OPERATING ADMINISTRATIONS\nAND SYSTEM INVENTORY COUNTS\nOperating Administration                                  Acronym           FY 2006       FY 2007\n\nFederal Aviation Administration                              FAA                263           264\n\nFederal Highway Administration                              FHWA                 23            25\n\nFederal Motor Carrier Safety Administration                FMCSA                 22            23\n\nFederal Railroad Administration                              FRA                 22            20\n\nFederal Transit Administration                               FTA                   6            5\n\nMaritime Administration                                    MARAD                 12            11\n\nNational Highway Traffic Safety\n                                                           NHTSA                 18            18\nAdministration\n\nOffice of Inspector General                                   OIG                  3            3\n\nOffice of the Secretary                                      OST                 40            42\n\nPipeline and Hazardous Materials Safety\n                                                           PHMSA                   5            5\nAdministration\n\nResearch and Innovative Technology\n                                                             RITA                  9           10\nAdministration\n\nSaint Lawrence Seaway Development\n                                                            SLSDC                  1            1\nCorporation\n\nSurface Transportation Board                                 STB                   2            2\n\n    Total Systems                                                               426           429\nData Source: OIG report \xe2\x80\x9cAudit of Information Security Program,\xe2\x80\x9d Report Number FI-2007-002,\nOctober 23, 2006, and Enterprise Security Portal as of 9/5/2007\n\n\n\n\nExhibit C. 
Departmental Operating Administrations and System\nInventory Counts\n\x0c                                                                  35\n\n\n\n\nEXHIBIT D. MAJOR CONTRIBUTORS TO THIS REPORT\n\n\nName                                   Title\n\nEd Densmore                            Program Director\nMichael Marshlick                      Project Manager\xe2\x80\x94Senior\n                                       Computer Science Adviser\nJoann Adam                             Project Manager\nNathan Custer                          Project Manager\nDr. Ping Z. Sun                        Project Manager\nMichael P. Fruitman                    Communications Adviser\nLynn Dowds                             Senior Auditor\nJim Mallow                             Senior Auditor\nTim Roberts                            Senior Auditor\nHenry Lee                              Computer Scientist\nMitchell Balakit                       Information Technology\n                                       Specialist\nChristopher Cullerot                   Information Technology\n                                       Specialist\nAtul Darooka                           Information Technology\n                                       Specialist\nVasily Gerasimov                       Information Technology\n                                       Specialist\nAnn Moles                              Information Technology\n                                       Specialist\nMartha Morrobel                        Information Technology\n                                       Specialist\nRaj Singh                              Information Technology\n                                       Specialist\n\n\n\n\nExhibit D. Major Contributors to This Report\n\x0c                                                                                                    36\n\n\n                  APPENDIX. 
MANAGEMENT COMMENTS\n\n\n\n\nSubject:   Office of the Chief Information Officer Response to Office of   Date: 10/4/07\n           Inspector General Federal Information Security Management\n           Act (FISMA) Audit Draft Report\n\n From:     Daniel G. Mintz\n           DOT Chief Information Officer, S-80\n\n    To:    Rebecca Leng\n           Technology and Computer Security, (JA-20)\n\n\n           The Department of Transportation (DOT) Chief Information Officer (CIO) officials reviewed\n           the Office of Inspector General (OIG\xe2\x80\x99s) draft final FY 2007 Information Security Program\n           Audit Report and provided oral comments.\n\n           CIO officials generally concurred with the report\xe2\x80\x99s findings and recommendations and will\n           provide written comments describing the specific actions and milestones that will be taken to\n           implement the recommendations, 30 days after the signing date of the official FY 2007\n           FISMA Report.\n\n           The OCIO office appreciates the working relationship developed during this audit and looks\n           forward to the OIG\xe2\x80\x99s continued involvement during FY 2008 with \xe2\x80\x9cGetting back to Green\xe2\x80\x9d\n           remediation efforts.\n\n           If you have any questions, please contact Phillip Loranger, Chief Information Security\n           Officer and Deputy Associate CIO for IT Investments, at phillip.loranger@dot.gov or\n           (202) 366-5636.\n\n\n\n\n                  Appendix. Management Comments\n\x0c                                                                            37\n\n\nThe following pages contain textual versions of the graphs and charts found in this\ndocument. 
These pages were not in the original document but have been added\nhere to accommodate assistive technology.\n\x0c                                                                              38\n\n\n                       Information Security Program\n                     Section 508 Compliance Presentation\n\n\nFigure 1. Operating Administrations With Highest Ratios of Overdue\nCorrections\n\n   \xe2\x80\xa2 For FHWA 282 POA&Ms are open and 246 POA&Ms are 6+ months\n     overdue\n   \xe2\x80\xa2 For FRA 287 POA&Ms are open and 269 POA&Ms are 6+ months\n     overdue\n   \xe2\x80\xa2 For PHMSA 105 POA&Ms are open and 104 POA&Ms are 6+ months\n     overdue\n\n\nFigure 2. Operating Administrations\xe2\x80\x99 Total Systems and Percentages of\nSystems Reported as Having Met Baseline Security Configuration Standards\n\n   \xe2\x80\xa2 For FAA the total number of systems is 264 and number of systems\n     reported to have met security baseline configuration standards is 15. 6% of\n     FAA systems met baseline security configuration standard.\n   \xe2\x80\xa2 For FHWA the total number of systems is 25 and number of systems\n     reported to have met security baseline configuration standards is 3. 12% of\n     FHWA systems met baseline security configuration standard.\n   \xe2\x80\xa2 For FMCSA the total number of systems is 23 and number of systems\n     reported to have met security baseline configuration standards is 22. 96% of\n     FMCSA systems met baseline security configuration standard.\n   \xe2\x80\xa2 For FRA the total number of systems is 20 and number of systems reported\n     to have met security baseline configuration standards is 19. 95% of FRA\n     systems met baseline security configuration standard.\n   \xe2\x80\xa2 For FTA the total number of systems is 5 and number of systems reported\n     to have met security baseline configuration standards is 5. 
100% of FTA\n     systems met baseline security configuration standard.\n   \xe2\x80\xa2 For MARAD the total number of systems is 11 and number of systems\n     reported to have met security baseline configuration standards is 0. 0% of\n     MARAD systems met baseline security configuration standard.\n   \xe2\x80\xa2 For NHTSA the total number of systems is 18 and number of systems\n     reported to have met security baseline configuration standards is 16. 89% of\n     NHTSA systems met baseline security configuration standard.\n   \xe2\x80\xa2 For OIG the total number of systems is 3 and number of systems reported\n     to have met security baseline configuration standards is 3. 100% of OIG\n     systems met baseline security configuration standard.\n\x0c                                                                           39\n\n\n\xe2\x80\xa2 For OST the total number of systems is 42 and number of systems reported\n  to have met security baseline configuration standards is 29. 69% of OST\n  systems met baseline security configuration standard.\n\xe2\x80\xa2 For PHMSA the total number of systems is 5 and number of systems\n  reported to have met security baseline configuration standards is 5. 100% of\n  PHMSA systems met baseline security configuration standard.\n\xe2\x80\xa2 For RITA the total number of systems is 10 and number of systems\n  reported to have met security baseline configuration standards is 9. 90% of\n  RITA systems met baseline security configuration standard.\n\xe2\x80\xa2 For SLSDC the total number of systems is 1 and number of systems\n  reported to have met security baseline configuration standards is 0. 0% of\n  SLSDC systems met baseline security configuration standard.\n\xe2\x80\xa2 For STB the total number of systems is 2 and number of systems reported\n  to have met security baseline configuration standards is 0. 0% of STB\n  systems met baseline security configuration standard.\n\n\nTable 7. 
Departmental Major IT Investment EVM Status\n\n   \xe2\x80\xa2 FAA has 21 major IT investments requiring EVM, out of which 6\n     investments or 29% met 50 percent or greater OMB EVM criteria in FY\n     2006 and 10 investments or 48% met 50 percent or greater OMB EVM\n     criteria in FY 2007\n   \xe2\x80\xa2 Other Operating Administrations have 10 major IT investments\n     requiring EVM, out of which 1 investment or 10% met 50 percent or\n     greater OMB EVM criteria in FY 2006 and 1 investment or 10% met 50\n     percent or greater OMB EVM criteria in FY 2007\n   \xe2\x80\xa2 Out of total 31 major IT investments requiring EVM, 7 investments or\n     23% met 50 percent or greater OMB EVM criteria in FY 2006 and 11\n     investments or 35% met 50 percent or greater OMB EVM criteria in FY\n     2007\n\x0c'